A third-party security consultant did a penetration test on a few of our webapps. One of the findings was a potential session fixation vulnerability.
We have several webapps, all Java, with single sign-on provided by JASIG CAS. To briefly summarize the CAS workflow: when a new request comes to a webapp (a service in CAS terminology), it redirects to a preset CAS URL. If the user is not already authenticated, it presents a login form and, upon success, redirects the browser back to the service with a token. In case the user is already authenticated, it immediately redirects back to the service with a token.
The aforementioned vulnerability stems from the fact that the service in question sets the session cookie (named JSESSIONID) when it is redirecting to CAS, i.e. before authentication, AND continues to use it after the redirect. The claim is that since the same session id is used before and after authentication, it is open to session fixation types of attack.
Given that all services and CAS are working exclusively over HTTPS and the session cookie is Secure, HttpOnly and generated at the server, is there any way session fixation may be a threat here?
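As an added example (not from the question, and not part of the CAS project or its Java client), here is the usual remedy for the finding described above: a servlet filter, placed after the CAS ticket-validation filter in the chain, that rotates the JSESSIONID once per session as soon as the authenticated assertion appears. It assumes a Servlet 3.1+ container (for `changeSessionId()`) and that the Java CAS client stores the assertion under the session attribute `_const_cas_assertion_`; the filter class and marker attribute names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the servlet session id exactly once, on the first request after the
 * CAS ticket has been validated. Must be mapped AFTER the CAS validation filter
 * so the assertion is already in the session when this filter runs.
 * Assumption: Servlet 3.1+ container, so HttpServletRequest.changeSessionId() exists.
 */
public class PostLoginSessionRotationFilter implements Filter {

    // Attribute under which the Java CAS client stores the validated assertion
    // (assumed value; compare with AbstractCasFilter.CONST_CAS_ASSERTION in your client version).
    private static final String CAS_ASSERTION_ATTR = "_const_cas_assertion_";
    // Marker so rotation happens only once per authenticated session (hypothetical name).
    private static final String ROTATED_ATTR = "session.id.rotated";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpSession session = request.getSession(false);
            if (session != null
                    && session.getAttribute(CAS_ASSERTION_ATTR) != null
                    && session.getAttribute(ROTATED_ATTR) == null) {
                // The session was created before login (during the redirect to CAS)
                // and now carries an authenticated assertion. Issuing a fresh id means
                // any id that existed pre-authentication no longer maps to the
                // authenticated session. changeSessionId() keeps all attributes,
                // so the CAS assertion survives the rotation.
                request.changeSessionId();
                session.setAttribute(ROTATED_ATTR, Boolean.TRUE);
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

On a pre-3.1 container the equivalent is to copy the attributes, call `session.invalidate()`, create a new session with `request.getSession(true)` and restore them.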